U.S. patent application number 10/544172 was filed with the patent office on 2006-03-16 for key expansion for qkd.
This patent application is currently assigned to Magiq Technologies Inc.. Invention is credited to Audrius Berzanskis, Alexei Trifonov.
Application Number | 20060059343 10/544172 |
Document ID | / |
Family ID | 32869422 |
Filed Date | 2006-03-16 |
United States Patent
Application |
20060059343 |
Kind Code |
A1 |
Berzanskis; Audrius ; et
al. |
March 16, 2006 |
Key expansion for qkd
Abstract
A method of encrypting information using an encryption pad based
on keys exchanged between quantum key distribution (QKD) stations
is disclosed. The method includes establishing raw keys between two
stations using QKD, processing the keys to establish a plurality of
matching privacy amplified keys at each station and buffering the
keys in a shared key schedule. The method also includes the option
of expanding one or more of the keys in the shared key schedule
using a stream cipher to create a supply of expanded keys that
serve as pads for one-time-pad encryption.
Inventors: |
Berzanskis; Audrius;
(Cambridge, MA) ; Trifonov; Alexei; (Boston,
MA) |
Correspondence
Address: |
OPTICUS IP LAW, PLLC
7791 ALISTER MACKENZIE DRIVE
SARASOTA
FL
34240
US
|
Assignee: |
Magiq Technologies Inc.
171 Madison Avenue, Suite 1300
New York
NY
10016
|
Family ID: |
32869422 |
Appl. No.: |
10/544172 |
Filed: |
February 5, 2004 |
PCT Filed: |
February 5, 2004 |
PCT NO: |
PCT/US04/03299 |
371 Date: |
August 2, 2005 |
Related U.S. Patent Documents
|
|
|
|
|
|
Application
Number |
Filing Date |
Patent Number |
|
|
60445805 |
Feb 7, 2003 |
|
|
|
Current U.S.
Class: |
713/171 |
Current CPC
Class: |
H04L 7/0075 20130101;
H04L 9/0858 20130101; H04L 7/0008 20130101 |
Class at
Publication: |
713/171 |
International
Class: |
H04L 9/00 20060101
H04L009/00 |
Claims
1. A method for establishing a secure key between two stations, the
method comprising: a) exchanging single photon signals between two
quantum key distribution stations to form a plurality of raw keys
at each station; b) performing error correction and privacy
amplification on the raw keys to form a plurality of privacy
amplified keys at each station; c) buffering the privacy amplified
keys in each station to form matching key schedules at each
station; and d) forming at least one expanded key from a key
selected from the matching key schedules, wherein the at least one
expanded key is suitable for one-time pad encryption of information
to be exchanged between the two stations.
2. The method of claim 1, including: a) encrypting information
using the at least one expanded key as a one-time pad; and b)
transmitting the encrypted information between the two
stations.
3. A method of sending encrypted information between two stations,
comprising: a) establishing a raw key between the two stations
using quantum key distribution; b) establishing a privacy amplified
key from the establish raw key; c) providing the option of
encrypting data using a one-time pad based on either the privacy
amplified key as an unexpanded key, or an expanded version of the
privacy amplified key as an expanded key; and d) sending encrypted
information between the two stations using a one-time pad based on
either the unexpanded key or the expanded key.
4. The method of claim 3, including: a) expanding one or more of
the privacy amplified keys; and b) storing at each station the one
or more expanded keys in a key schedule.
5. The method of claim 3, including: a) storing at each station one
or more unexpanded keys in a first key schedule; b) storing at each
station one or more expanded keys in a second key schedule; and c)
encrypting information using one-time pads based on keys from at
least one of the first and second key schedules when raw keys
cannot be exchanged between the stations.
Description
CLAIM OF PRIORITY
[0001] This patent application claims priority from U.S.
Provisional Patent Application No. 60/445,805, filed on Feb. 7,
2003.
TECHNICAL FIELD
[0002] The present invention relates to quantum cryptography, and
in particular relates to key expansion methods applied to keys
established between quantum key distribution (QKD) stations for the
purpose of forming one-time pads for sending encrypted information
between the QKD stations.
BACKGROUND ART
[0003] Quantum key distribution involves establishing a key between
a sender ("Alice") and a receiver ("Bob") by using weak (e.g., 0.1
photon on average) optical signals transmitted over a "quantum
channel." The security of the key distribution is based on the
quantum mechanical principal that any measurement of a quantum
system in unknown state will modify its state. As a consequence, an
eavesdropper ("Eve") that attempts to intercept or otherwise
measure the quantum signal will introduce errors into the
transmitted signals, thereby revealing her presence.
[0004] The general principles of quantum cryptography were first
set forth by Bennett and Brassard in their article "Quantum
Cryptography: Public key distribution and coin tossing,"
Proceedings of the International Conference on Computers, Systems
and Signal Processing, Bangalore, India, 1984, pp. 175-179 (IEEE,
New York, 1984). A specific QKD system is described in U.S. Pat.
No. 5,307,410 to Bennet (the '410 patent).
[0005] The Bennett-Brassard article and the '410 patent each
describe a so-called "one-way" QKD system wherein Alice randomly
encodes the polarization of single photons, and Bob randomly
measures the polarization of the photons. The one-way system
described in the '410 patent is based on two optical fiber
Mach-Zehnder intefFerometers. Respective parts of the
interferometer are accessible by Alice and Bob so that each can
control the phase of the interferometer. The signals (pulses) sent
from Alice to Bob are time-multiplexed and follow different
paths.
[0006] U.S. Pat. No. 6,438,234 to Gisin (the '234 patent), which
patent is incorporated herein by reference, discloses a so-called
"two-way" QKD system that is autocompensated for polarization and
thermal variations. The two-way system is based on a folded
interferometer wherein the optical pulses traverse the same path
through the interferometer, but with a time-delay.
[0007] The general operation of a QKD system is described in the
book by Bouwmeester, Ekert and Zeilinger (Eds.) entitled "The
physics of quantum information," Springer-Verlag (2001), section
2.3. In the operation of the two-way phase-encoding system of the
'234 patent, Bob generates a single optical pulse and forms
therefrom two coherent pulses P1 and P2 that travel to Alice with a
time delay between the pulses. Alice attenuates the pulses to make
them weak and then randomly phase modulates one of the pulses (say
P1). Alice also reflects the pulses with a Faraday mirror so that
the polarization of each pulse is rotated by 90.degree. before
returning to Bob. The pulses return to Bob and in doing so traverse
the same round-trip path through the interferometer but in
different order. Bob then randomly phase-modulates the
yet-unmodulated pulse P2, and recombines the now-modulated pulses
P1 and P2. The combined pulses interfere, and the result of the
interference is detected in one of two detectors, depending on the
respective phases imparted to pulses P1 and P2 by Alice and Bob,
respectively. The detected pulses constitute Bob's measured
qubits.
[0008] After a sufficiently large number of qubits are exchanged
between Bob and Alice, Bob and Alice publicly compare the basis
used to encode each photon, and also discard photons that did not
arrive at Bob or Alice. Alice and Bob keep only those qubits
corresponding to the same phase-encoding basis. This forms the
sifted key. Alice and Bob then choose at random some of the qubits
in the sifted key to test for errors that reveal the presence of an
eavesdropper. These test qubits are then discarded. If there are no
errors, the remaining qubits form the shared key. At this point, an
operation called "privacy amplification" is typically performed.
This operation involves deducing the number of bits (.zeta.) by
which the (error-corrected) key k.sub.N of n bits needs to be
shortened so that any information an eavesdropper has about the
final key k.sub.F is lower than a specified value. Privacy
amplification further includes forming a binary matrix K of
dimension (n-.zeta.).times.n, publicly sharing this matrix, and
then performing k.sub.F=Kk.sub.N (mod 2) to arrive at the final key
k.sub.F.
[0009] Finally, an authentication step is typically performed
wherein a previously shared authentication key or code is used to
ensure that the Alice is really Alice and Bob is really Bob. This
authentication step can be performed at any point in the key
exchange process.
[0010] Using the above-described processes, the final key k.sub.F
has a given length. The length of the key k.sub.F dictates the
amount of information that can be encrypted. The secure key rate
from a QKD system is usually too low for commercially available
data transmission lines if one-time pad encryption is being used.
Also, the achievable data bandwidth is very low and is limited by
the key generation rate, which is around 1-10 kbps with present
technology. The technology of the present invention, set forth
below, presents a method that allows QKD to encrypt broadband
streams of data (up to 10 Gbps or more), thus providing a method
for expanding the key without having to send additional photons
over the system.
BRIEF DESCRIPTION OF THE DRAWINGS
[0011] FIG. 1 is a flow diagram that provides an overview of the
QKD processes of the present invention;
[0012] FIG. 2 is a flow diagram illustrating key sifting as run on
Alice's computer;
[0013] FIG. 3 is a flow diagram that continues from the flow
diagram of FIG. 2, and which illustrates key shuffling using a
modified Cascade protocol on Alice's computer;
[0014] FIG. 4 is a flow diagram that continues from the flow
diagram of FIG. 3, and that illustrates an example embodiment of
generating an error-free key on Alice's computer, based on
performing privacy amplification of the shuffled key;
[0015] FIG. 5 is a flow diagram that illustrates an example
embodiment of performing key sifting on Bob's computer;
[0016] FIG. 6 is a flow diagram that continues from the flow
diagram of FIG. 5, and that illustrates an example embodiment of
key shuffling using a modified Cascade protocol on Bob's
computer;
[0017] FIG. 7 is a flow diagram that continues from the flow
diagram of FIG. 6, and that illustrates an example embodiment of
generating an error-free key on Bob's computer by performing
privacy amplification of the shuffled key;
[0018] FIG. 8 is a flow diagram illustrating an example embodiment
of performing key expansion on a privacy amplified key;
[0019] FIG. 9a is a diagram of an exemplary key schedule for "Pad
Expansion Flag"=0, for the case when AES in CTR mode is used;
and
[0020] FIG. 9b is a diagram of an exemplary key schedule for "Pad
Expansion Flag"=1, for the case when AES in CTR mode is used.
DETAILED DESCRIPTION OF THE INVENTION
[0021] The present invention has industrial utility in the fields
of quantum cryptography, quantum key distribution, and data
encryption. In particular, the present invention has industrial
utility in combining quantum, cryptography and classical
cryptography. The present invention provides protection from not
only eavesdroppers that utilize passive tapping of transmitted
information from a carrier such as, but not limited to, an optical
photon, but from any type of intrusion attack including involved
active types of attacks wherein an eavesdropper probes the Alice
and Bob nodes (stations) using a probe signal sent through an
optical fiber used to transmit data.
[0022] As described in greater detail below, the present invention
includes a method for generating a cryptographically secure key
between two stations. An example method includes exchanging single
photon signals between two QKD stations to establish a plurality of
matching raw keys at each station. The method also includes
processing the raw keys using error correction and privacy
amplification, to establish matching privacy amplified keys at each
station. The method also includes buffering the privacy amplified
keys at each station to form matching key schedules. The method
further includes forming at least one expanded key from a key
selected from the key schedules, wherein the expanded key serve as
a one-time pad to encrypt information to be exchanged between the
two stations.
[0023] The discussion below assumes that the eavesdropper ("Eve")
is unlimited in her technological resources. The system is
optimized to provide maximal key generation rate in unconditional
security regime. As an example, the system described herein can be
implemented on a Pentium III, 500 MHz machine or better machines
(assuming that quantum layer clock does not exceed 10 MHz), and
also on a digital signal processor (DSP). A communication channel
of approximately 10 Mbit/s may be utilized (depending on quantum
layer clock rate and optical channel length).
[0024] Also, in the discussion below, the term "key" is
interchangeable with "pad" when the pad is the same length as the
key. However, generally speaking, a key is used to form a pad, say
by generating a string of bits to be used for data encoding. In
this case, the pad has a different length (i.e., number of bits)
than they key and is not the same as the key per se. However, in
the discussion below, an "expanded key" is used as a pad for
one-time pad encryption. Also, the term "expanded pad" is used
below and is the same as the "expanded key." The term "expanded
pad" is used to denote a pad that is expanded over a pad that would
be formed from an unexpanded key.
[0025] In an example embodiment, the method of present invention
includes a number of main algorithmic parts, including sifting,
error correction, privacy amplification and key expansion (or no
key expansion). The error correction protocol is optimized to
reveal as few bits on the public channel as possible. In addition,
the error correction protocol utilizes encryption (preferably
one-time pad) of bits sent over the public discussion (PD)
layer.
[0026] The privacy amplification method utilized herein implements
a multiplication by a random binary matrix. The matrix
multiplication is preceded by cryptographically strong sifted key
shuffling. The key expansion step uses a stream cipher.
QKD Process Overview
[0027] FIG. 1 is a flow diagram that provides a general overview of
the QKD process according to the present invention. With reference
to FIG. 1, to start a quantum key distribution (QKD) process, the
two parties involved (Alice and Bob) share initial secret
information that is required for authentication of a sifting
procedure. In the sifting stage, the two parties involved in QKD
exchange basis and single-photon detector `click` information.
[0028] In order to `fight quantum memory` the sifting process is
started with a delay of >1 s after bits are detected. Bob (the
party ultimately receiving photons) sends Alice (the party sending
photons) information about click time slots and basis information
for positions of the clicks. Alice responds with a stream of bits
encoding the `correct` bases for the `clicks`. Both parties
disregard the bits with `wrong` bases.
[0029] The sifting procedure is authenticated. For this purpose,
Alice and Bob form a string of bits that they are sending/receiving
in pre-agreed form and calculate message authentication code (MAC)
values of the string. If the latter values coincide, Alice and Bob
proceed to the error correction protocol. If the MAC values to not
coincide, they issue an intrusion or "attack alert."
[0030] Authentication may be performed by means of any strong
authentication procedure. Preferable procedures are the
unconditionally secure message authentication codes (for example,
UMAC).
[0031] Other possible authentication procedures can be based on
hash function SHA, RIPEMD (or other) based HMAC. The latter case is
not unconditionally secure. However, the parties can decide to
encrypt/partially encrypt the MAC by using a one-time pad with the
absolutely secure key they possess. This removes any possibility of
cracking the authentication. It is preferable to use some kind of
encryption for the whole sifting procedure, for example AES or
TDES.
[0032] With continuing reference to FIG. 1, the sifted key is
buffered until it reaches a number of bits high enough (e.g., 10 5
bits or more) to run the error correction protocol.
Cryptographically strong shuffling is then performed on the sifted
key stored in the buffer. Both parties (i.e., Alice and Bob) use
the same seed for the shuffling procedure, which they take from
their absolutely secure key buffer. In this way, an eavesdropper
has no information on a shuffling result. The seed is refreshed at
pre-agreed time moments. The shuffling step is utilized to
randomize the positions of errors that are needed for realization
of an efficient error correction protocol, to erase (preferably to
a very high degree) eavesdropper's information on specific bit
positions in the sifted key, and to prepare the sifted key for the
privacy amplification procedure.
[0033] The shuffling step is a security enhancement to the standard
BB84 protocols and in an example embodiment may be skipped if all
the data transmitted over public channel is encrypted.
[0034] The error correction utilized by the system is
characterized, among other ways, by the party correcting the errors
deciding on a number of passes of a Cascade protocol based on a
hash value provided by another party. After each pass through the
Cascade protocol, the party calculates the hash value on its buffer
and compares it to the received value. When the hash values
coincide, the Cascade is stopped. If the values do not coincide,
then another pass of Cascade is performed. In this way, fewer bits
have to be sent over the public channel, and the probability of
failure of Cascade to correct some errors is effectively zero. In
general, any hash function with good mixing properties may be used
(e.g., SHA, MD5). Another modification of the Cascade process
includes encrypting parity bits sent over the public discussion
layer. The hash value mentioned above should preferably be
encrypted as well. Therefore, an eavesdropper listening to the
communication over the public discussion layer (channel) does not
receive information on bit parities. It should be noted that
information on specific bit positions is, to a high degree, erased
in the shuffling step.
[0035] The outcome of the error correction procedure is buffered
for privacy amplification. This buffering may be required to adjust
different sizes of blocks in the error correction and privacy
amplification steps. Privacy amplification is performed as
multiplication of the error-corrected string by a fixed random
binary matrix M. The shuffling step enables maintaining the matrix
as fixed during QKD.
Quantum Key Generation at Alice
[0036] FIG. 2 [Alice-1], FIG. 3 [Alice-2], and FIG. 4 [Alice-3] are
flow diagrams of a quantum key generation process according to the
present invention as performed by Alice's computer, located at the
Alice node. Further "Alice's apparatus", "Alice's computer" and
"Bob's apparatus" and "Bob's computer" are referred to as "Alice"
and "Bob," respectively.
[0037] FIG. 2 [Alice-1] is a flow diagram illustrating a sifting
stage as run on Alice's computer. In 8-1, Alice receives quantum
layer key bits and bases from the RNG within Alice's apparatus. In
8-2, Alice receives click positions of single photon detectors at
Bob's apparatus (CPB), bases for clicks (BCB), and message
authentication code (MACB1) from Bob. In 8-3, Alice calculates her
message authentication code (MACA1) and compares it to Bob's
message authentication code (MACB1). In 8-4, MACB1 is compared to
MACB2. If the values of MACB1 and MACA1 coincide ("yes"), Alice
concludes that there was no attempt to tamper with data. If the
values of MACB1 and MACA1 do not coincide ("no"), the program
generates an attack alert at 8-5 and sends a warning to Bob at
8-6.
[0038] In the case that values of MACB1 and MACA1 coincide, in 8-7
Alice forms a correct basis positions string (CBPA) by checking
bases for coincidence and calculates a message authentication code
for CBPA (MACA2). In 8-8, CBPA and MACA2 are then sent to Bob.
Thereafter, in 8-9, Alice picks bits that correspond to correct
bases and discards the rest of the bits.
[0039] FIG. 3 [Alice-2] is a flow diagram that continues from the
flow diagram of FIG. 2, and contains buffering for sifting stage
and shuffling a modified Cascade, as an example, a protocol part of
the algorithm as run on Alice's computer. Following 8-9 of FIG. 2,
buffering is completed in 9-1. Then in 9-2, Alice performs
cryptographically strong shuffling utilizing the pre-agreed part of
the key. Then in 9-3, the shuffled string hash (ha) is calculated
and in 9-4 ha is sent to Bob.
[0040] For error correction, Alice uses the modified Cascade
protocol with one-time pad parity bit encryption at 9-5. Within
each run of 9-5, an Nth pass of modified Cascade algorithm is
communicated to Bob. After each pass of the modified Cascade
protocol of 9-5, Alice checks the status of coincided hash values
sent from Bob. If at 9-6 a new hash (h) and the old hash (ha) at
Bob's side do not coincide ("no"), a higher pass of the modified
Cascade is run. The process is stopped when coinciding hashes
("yes") are achieved at 9-6. In 9-7, results of error correction
may also be buffered.
[0041] The parties might decide to exchange some authenticated
information about their generated keys to ensure that there was no
spoofing during communication over the public channel.
[0042] FIG. 4 [Alice-3] is a flow diagram that continues from the
flow diagram of FIG. 3 and that illustrates the generation of
error-free key stage as run on Alice's computer. In 10-1, privacy
amplification is performed on the corrected bit string by
multiplication of the corrected bit stream by a fixed random binary
matrix M. This procedure generates the secure key. In 10-2, the
secure key is buffered synchronously to Bob's station and in 10-3
the secure key is outputted.
[0043] Buffering is a good measure against denial of service (DOS)
attack. In case of DOS attack, the stations issue an alarm to the
control center. For example, the stations can send a simple network
management protocol (SNMP) trap. The stations can then start using
buffered keys instead of QKD-generated keys until the DOS is
mitigated. The size of the buffer should be big enough to provide
the time for technical personnel to address the DOS problem. It
should be noted that standard implementation of quantum
cryptography is not resistant to DOS attacks.
Quantum Key Generation Process at Bob
[0044] FIG. 5 [Bob-1], FIG. 6 [Bob-2], and FIG. 7 [Bob-3] are flow
diagrams diagram for a quantum key generation process as performed
by Bob's computer. FIG. 5 [Bob-1] is a flow diagram that contains a
sifting stage as run on Bob's computer. In 11-1, Bob receives
quantum layer bases for clicks from RNG within Bob's apparatus
(BCB) and click positions (CPB) from the single photon detector(s)
through, for example, a 32 bit input/output port. In 11-2, a string
is formed for CPB and for BCB. In 11-3, for these strings Bob
calculates message authentication code (MACB1). In 11-4, Bob sends
Alice BPB, BCB and MACB1. In turn, in 11-5 Bob receives from Alice
CBPA and MACA2. In 11-6, for the data received, message
authentication code (MACB2) is once more calculated, and in 11-7
MACB2 and MACA2 are compared. If MACB2 and MACA2 do not coincide
("no"), an attempt of tampering with data occurred during data
transfer. In this case, the in 11-8 program generates an attack
alert and in 11-9 sends a warning to Bob and Alice. If MACB2 and
MACA2 do coincide ("yes") at 11-7, no attack happened during data
transfer. In this case, in 11-10 the program picks bits that
correspond to correct bases and discards the rest of the bits.
[0045] FIG. 6 [Bob-2] is a flow diagram that continues from the
flow diagram of FIG. 5 and that contains buffering for a sifting
stage and shuffling, and a modified Cascade protocol part of the
algorithm as run on Bob's computer.
[0046] In 12-1, the bits selected in 11-10 are buffered. After
buffering is completed, then in 12-2 cryptographically strong
shuffling utilizing the pre-agreed part of the key is performed. In
12-3, Bob receives hash from Alice and saves it (ha) in 124. For
error correction, in 12-5, Bob uses the modified Cascade protocol
with one-time pad parity bit encryption. Within each run of 12-5,
an Nth pass of the modified Cascade algorithm communication with
Bob takes place. Such data exchange assures parity bit encryption.
After each pass of the modified Cascade protocol of 12-5, a new
hash (h) is calculated in 12-6, and compared to the previous hash
(ha) in 12-7. If h and ha do not coincide ("no"), a higher pass of
the modified Cascade is run in 12-5. The process is stopped when
coinciding hashes are achieved ("yes") at 12-6. In this case Bob,
in 12-8 sends Alice a flag, which informs Alice that hash h and
hash ha coincided. In 12-9, results of error correction are also
buffered.
[0047] FIG. 7 [Bob-3] is a flow diagram that continues from the
flow diagram of FIG. 6 and contains a generation of error-free key
stage as run on Bob's computer. In 13-1 (which follows buffering
step 12-9), privacy amplification is performed on the corrected bit
string by multiplication of the corrected bit stream by a fixed
random binary matrix M. This procedure generates the secure key.
The secure key from 13-1 is then buffered in 13-2 and a key is
generated in 13-3.
[0048] Again, in case of a DOS attack, the stations issue an alarm
to the control center and follow the above-described procedure to
ensure continued operation.
Key Expansion
[0049] It should be noted that, in an example embodiment of the
present invention, an arbitrarily long key for one-time pad
encryption is produced, which increases the encrypted data
bandwidth. Strictly speaking, one-time pad-like encryption with the
expanded key is no longer one-time pad encryption. However, all the
operations a user has to perform to encrypt the data are identical
to the operations needed to implement one-time pad encryption, so
the term `one-time pad` is used herein.
[0050] As mentioned above, the secure key rate from a QKD system is
usually too low for commercially available data transmission lines
if one-time pad encryption is being used. At the same time, in many
cases using a one-time pad is an excess security measure.
Accordingly, the following describes a QKD device that comprises a
key expansion protocol in addition to the standard protocols of
QKD. This lets a user select between two regimes of QKD operation:
one-time pad and one-time expanded pad. In principle, a user can
expand a key only at the users site. However such a solution is
expensive and not necessarily safe, thus reducing the security
level of the QKD system. The present technique allows users to
choose between an expanded key regime and a one-time pad regime.
However, the key expansion itself is performed within the QKD
apparatus.
[0051] Current implementations of QKD suffer from a low key rate
that today is on the order of 1 kbit/sec. The key rate is defined
by the clock rate of the QKD device, imperfections of light
sources, finite efficiency of detectors, finite finesse of optical
elements, and losses in the optical fiber connecting the QKD
stations. Though technological advances will likely enable an
increase in the rate of secure bits, this rate will be lower than
the bandwidth of commercially available communication lines. This
prevents using QKD systems with one-time pad encryption on such
communication lines.
[0052] On the other hand, one-time pad is a natural encryption
choice when a QKD is used. A one-time pad encures ultimate
security, thus making one-time pad encryption and QKD combination
unbreakable. The drawback is that using a one-time pad limits the
data transmission bandwidth to that of the key rate.
[0053] In many cases, one-time pad encryption is excessive and
other classical symmetric key encryption techniques can be employed
with a QKD system. These techniques would require additional
hardware and/or software. The present invention concerns a QKD
system that does not provide specialized encryptors. Such systems
can be used in one-time pad encryption mode. The following
describes a feature of a QKD system ("one-time pad/expanded pad
switch") that enables the system to be used in either one-time pad
or expanded pad regimes. The one-time pad embodiment provides the
ultimate security delivered by quantum key distribution, while the
expanded pad regimes solves the problem of finite data bandwidth in
cases when one-time pad is not required.
[0054] A one-time pad/expanded pad switch can readily be added to a
QKD system. In many cases, it can be realized by software means on
existing QKD hardware. Preferably, both one-time pad and expanded
pad regimes use the same key distribution interface.
[0055] The QKD system can be seen as a perfect random number
generator producing the same random bits at two remote locations.
At the switch position `one-time pad,` the generated bits are sent
via interface to the user and for one-time pad encryption of a
particular message.
[0056] At a switch position `expanded pad` the random bits serve as
a seed for a cryptographically strong pseudo random number
generator that can be implemented on QKD hardware to produce a
pseudo random bit stream that is long enough to encrypt a message
and which, again, is sent via the same interface, to the user and
for one-time pad encryption of the message.
[0057] The communicating parties switch the regimes synchronously.
For synchronization, they can use any communication network in
their possession. For example, the party--Alice or Bob--that
requests key expansion, sets "Pad Expansion Flag"=1 for a
pre-agreed bit, and exchanges this bit with another party within
the accepted communication protocol between the two QKD stations.
The synchronization protocol also can be implemented in a QKD
device and can use the communication line of QKD. The party
transmitting the encrypted message informs the receiving party of
the encryption regime and, in case of expanded pad regime, the key
expansion ratio.
Example of Key (Pad) Expansion
[0058] Key expansion can be performed in a QKD device after the
privacy amplification protocol, or it can be combined with privacy
amplification step. FIG. 8 [Bob-31] is a flow diagram for the
embodiment where key expansion is performed after privacy an
amplification protocol, represented by 14-1. The privacy amplified
key is buffered in 14-2. In 14-3, the QKD system generates random
bit blocks r=r1, r2, . . . , rN. The cryptographically strong
pseudorandom number generator P stretches the bits blocks pi=P(ri),
producing a pseudorandom bit stream p=p1,p2, . . . ,pN. For the
pseudorandom number generator, one may use a type of stream cipher,
for example AES in CTR mode. The pseudorandom bit stream is used
for one-time pad encryption in expanded pad mode. This operation is
run on both QKD stations, i.e. at Bob and Alice. In 14-4, parties
check the value of the exchanged "Pad ExpansiQn Flag" bit. It
should be noted here that the term "Pad Expansion" is used to
denote expanding the key to form the (expanded) pad.
[0059] If "Pad Expansion Flag"=0, then the output is just a key as
generated during the QKD process. Having buffered keys is mind, the
key schedule with AES in Counter (CTR) mode has a structure "ID_1
Key_1; ID_2 Key_2; ID_N Key_N" (see FIG. 9a), where ID_I is a
number assigned to each key Key_I.
[0060] In 14-5, the expanded pad is outputted. If "Pad Expansion
Flag"=1, than the output is expanded key. Than the key schedule
with AES in CTR mode has a structure "ID_1 Key_1 Pad_1; ID_2
Key.sub.--2 Pad_2; . . . :ID_N Key_N Pad N" (see FIG. 9b), where
ID_I is a number assigned to each pair of Key_I and Pad_I. Pad_N is
a bit stream generated by means of AES-256 (Key_N) using AES in CTR
mode. There is no correlation of ID_N with either Key_N or Pad_N.
The key expansion ratio depends on the user's data bandwidth and
the key generation rate. Key data is never reused. Although a key
ID may be reused, its associated key data will always be
different.
[0061] Thus, in the present invention one-time pad encryption need
not be used to encrypt data whose bandwidth is higher than the key
generation rate. In other words, if the data bandwidth B is higher
than the key generation rate K, then we use K in combination with
some classical cryptographic methods. For example, K is split into
n 256 bit blocks-k1, k2, . . . , kn (n=K/256) (in that way n is a
number of 256 bit keys we can generate per second) and keys kj are
used with some classical encryption method to encrypt data for time
1/n seconds
[0062] Similar implementation can be achieved for other cipher
modes as well. For example, in CBC mode one would need to send the
Key_ID only and there is no need to send the offset. CBC mode
provides a higher data integrity check. If, for example, the
packets are being encrypted at OSI level 2, then the data forgery
after decryption will usually be noticed by OSI level 3 protocols.
In that way CBC mode provides much better data integrity check than
CTR mode. To implement CBC mode encryption, a user might need
specialized hardware.
[0063] It is worth noting that AES in CTR (as well as many other
block stream ciphers) has a known flaw in that it is subject to
data forgery or spoofing. Because of this, it is preferred that it
be used with a data authenticity mechanism to ensure that the data
has not been altered with out authorization.
[0064] The same implementation can be used with other stream
ciphers. It is worth noting that the stream ciphers, which provide
message authentication, can prevent data forgery and spoofing.
[0065] Pad expansion can be performed by cryptographically strong
pseudorandom generators (like block stream ciphers). The privacy
amplification step utilizes is a QKD protocol that produces a
perfectly secure bit stream from a partially secure bit stream.
This is usually achieved by applying some universal hash function
on the partially secure bits (e.g., Bennet, Brassard-Generalized
PA). The hash function compresses the bit stream in a way so that
eavesdropper has exponentially little information on the compressed
bits. To some extent, pad expansion `does the opposite.`
Specifically, pad expansion stretches the bit stream so that more
key bits are received at the output.
[0066] The expanded pad can be generated by modifying the privacy
amplification procedure by adjusting the compression ratio. The
latter reduces computational complexity and, thus, computational
resources of the hardware. As an example, one possible embodiment
involves the communicating parties applying a cryptographically
strong shuffling procedure on partially secure bits without
compression. The seed for the shuffling procedure can be exchanged
between the parties over any existing communication network that
the parties possess. The parties can agree on a one-time pad
encryption for the shuffling seed. Starting at this point, the
parties can seed a cryptographically strong pseudo random number
generator with the shuffled bits.
[0067] In accordance with an example embodiment of the present
invention, the receiver of the single-bit transmission is aware of
when the transmitter is going to transmit the encrypted data to the
receiver. It should be noted that in one example the transmitter is
transmitting the encrypted data to the receiver, while in another
example the receiver may instead be a transmitter, while the
transmitter acts as a receiver.
User Data Encryption
[0068] In an example embodiment, the present invention is used
perform data encryption in the following as manner outlined below.
At the encryption station (say, Bob), the station reads the user
data packet and determines the packet data size in bytes. The
encryption station then checks to see if the sum of the current
offset and the packet data size is less than the Pad size in bytes.
If not, the station jumps to the next key ID and resets the offset
to zero.
[0069] The encryption station then XORs the packet data with an
appropriate pad, starting from current offset value. It adds the
Key ID and offset information in unencrypted format to the packet.
The latter can be done by encapsulating the packet into another
packet, by adding an additional header, or by using some already
existing field of the data packet. The encryption station then
increases the current offset by the size of the encrypted data
packet and transmits the encrypted packet to the receiver.
[0070] At the decrypting station (say, Alice), the packets are read
and the Key ID and offset are extracted. The received data is then
XORed with the appropriate pad starting from the received offset
value. The receiver station then restores all packet headers (if
necessary), and passes the data to the user.
* * * * *